Daniel

Reputation: 2467

OAuth Access token Validation with Microservices

I am currently thinking about building an application following the microservice architecture. To authorize the user I was thinking of using the OAuth protocol. Now the question is where/when to validate the Access Token. I basically see two possibilities:

  1. Each microservice is doing it on its own (meaning one call that might involve 10 microservices would result in 10 token validations)
  2. Introduce an API gateway (which needs to be there anyways I guess) which does the token validation and passes on the user ID, scopes, ... that the other microservices trust and use (which also means that some kind of authentication between the API gateway and the microservice must be there, e.g. client secret!?)

As you probably have already guessed, I tend to go with the second approach. Is that a valid one? Do you have some practical experience with one of those approaches? Or would you suggest another approach? I'm looking forward to your comments/remarks on that!

Thanks and regards!

Upvotes: 1

Views: 758

Answers (1)

Rob Conklin

Reputation: 9446

You almost definitely want a public/private split in your microservices architecture. The public side should be authenticating the token, and the private side is used to service calls from other API calls. This way you are only authenticating once per call.

You can accomplish this by, as you said, creating a gateway service, which dispatches those calls to the private services. This is a very common pattern. We have found it useful to authenticate the gateway side to the private API with client certificate authentication, sometimes referred to as two-way SSL. This is a little more secure than a shared-secret (which can easily leak).

Upvotes: 1
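The gateway-side "validate once, then forward trusted identity" pattern from the answer, as an added example (not code from either poster). It assumes the access token is an HS256 JWT with `sub`, `scope` and `exp` claims and a gateway-held key (both constructed here); the private services then trust the `X-User-Id` / `X-Scopes` headers only because the gateway-to-service hop is authenticated with mutual TLS.

```python
import base64, hashlib, hmac, json, time

# Constructed placeholder key; a real gateway fetches this (or the issuer's public key) from a secret store.
SHARED_KEY = b"constructed-example-key"

def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def make_token(claims: dict, key: bytes = SHARED_KEY) -> str:
    """Build a sample HS256 JWT; only used here to construct test input."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(key, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"

def verify_token(token: str, key: bytes = SHARED_KEY, now=None):
    """Return the claims if algorithm, signature and expiry check out, else None."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if header.get("alg") != "HS256":  # pin the algorithm; never trust 'none' or the token's choice
            return None
        expected = hmac.new(key, f"{header_b64}.{body_b64}".encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except (ValueError, json.JSONDecodeError):
        return None
    if claims.get("exp", 0) <= (now if now is not None else time.time()):
        return None
    return claims

def gateway_headers(token: str, required_scope: str, now=None):
    """Validate once at the gateway and emit the headers the private services will trust."""
    claims = verify_token(token, now=now)
    if claims is None or "sub" not in claims:
        return None
    scopes = claims.get("scope", "").split()  # OAuth scope claim is space-delimited
    if required_scope not in scopes:
        return None
    # Forwarded only over the mTLS-authenticated gateway -> private-service hop;
    # private services must reject these headers from any other client.
    return {"X-User-Id": claims["sub"], "X-Scopes": " ".join(scopes)}
```

The private services never see the raw access token, so a tampered, expired or wrong-key token is rejected in one place rather than in each of the ten services the question mentions.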
